Create, modify, delete cloud accounts

Create a Guardium cloud DB service account with your database credentials, and modify or delete the cloud account.

Create cloud account

About this task

Create cloud accounts to manage the connection between your cloud databases and Guardium®.

Tip: If you are managing multiple databases in this account, consider defining a default classification process so that you do not need to define the properties for each discovered database.

Procedure

  1. Browse to Discover > Database Discovery > Cloud DB Service Protection.
  2. Click the plus sign icon to open the Create Cloud DB Service Account Definition pane.
  3. Define the account:
    • Name: An account name that is unique to your site.
    • Provider: Select the provider name from the menu. Currently Amazon is the only available provider.
    • Audit type: Select Native.
    • AWS access key ID and AWS secret access key ID: Supplied by your cloud services provider. The account secret key functions as a password. Make sure that the access key and title are both unique so that you do not have multiple account names with the same access_id.
  4. Configure Database Auditing and Classification:
    • Default classification Process. Optional. All cataloged databases in this account are assigned to the specified classification process. You can modify the classification process for each database after it is cataloged.
    • Limit objects added automatically: When DB Auditing is enabled, you can specify the maximum number of objects that are found by classification to automatically enable for object auditing. You can modify the number of objects to find, per database, after they are discovered. Objects that are enabled automatically appear as Enabled in the managed objects window. To add objects automatically, set a high but reasonable limit of what you expect the classification process to find. To prevent an overflow of objects if there is an error in your classification, don't set the limit too high; a limit that is too high can affect database performance. For example, suppose that you set the limit to 15, and classification identifies five objects on the first run. Those five objects are enabled for DB Audit. The next classification run identifies five more objects, and those objects are also enabled. However, no new objects are enabled if the number of audited objects plus the number of newly classified objects exceeds the specified limit. Therefore, if the next classification run identifies seven objects, those objects are not enabled, because enabling them would exceed the specified limit (15). If the limit is set to zero, objects are not automatically enabled for object auditing.
  5. Test access to the cloud. Click Test Access to make sure that your account has access to the cloud.
    If the test fails to access the cloud, check the following items:
    • Your Guardium system has access to Amazon.
    • You supplied the correct keys.
  6. Click Create.
    The account is created and the Cloud DB Service Accounts list updates with the new Cloud account.

What to do next

Discover and catalog databases, then set up classification, vulnerability assessment, and object auditing. For more information, see Discover cloud databases.

Modify a cloud account

You can modify all parameters except the provider.

Procedure

  1. Select the cloud account under Cloud DB Service Accounts, and click the wrench icon in the right pane.
  2. Modify the configuration.
  3. If you modify any credentials, click Test Access to test the access to the cloud.
  4. Click Save.

Delete a cloud account

For data streams, deleting an account disconnects the database from the Guardium managed units. For native audit, deleting an account disables the object audit and the DB audit on all the databases owned by the current environment.

Procedure

  1. Select the account in the Cloud DB Service Accounts pane, click the minus sign icon, and confirm.
  2. Restart the DB from the DB console. If you do not have Amazon access to the DB, ask your DBA to disable DB auditing and to restart the DB. It's important to stop auditing and restart the DB so that the DB stops writing to the Guardium log files.